我正在尝试使用以下 terraform 代码创建 Azure AD 组
# Required Provider
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 3.0.2"
}
}
required_version = ">= 1.1.0"
}
# Configure the Microsoft Azure Provider
provider "azurerm" {
features {}
....
....
}
data "azuread_client_config" "current" {}
# Variables
variable "ad_groups" {
description = "Azure AD groups to be added"
type = list(object({
display_name = string,
description = string
}))
default = [
{
display_name = "Group1"
description = "some description"
},
{
display_name = "Group2"
description = "some description"
}
]
}
# Create AD Groups and add the Current User
resource "azuread_group" "this"{
count = length(var.ad_groups)
display_name = var.ad_groups[count.index].display_name
description = var.ad_groups[count.index].description
security_enabled = true
prevent_duplicate_names = true
owners = [data.azuread_client_config.current.object_id]
}
我收到以下错误
**Error:** could not check for existing group(s): unable to list Groups with filter "displayName eq 'Group1'": GroupsClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.
此服务主体在管理组级别具有以下角色
是否需要 Directory.ReadWrite.All 和 Group.ReadWrite.All API 权限?如果没有,它需要什么访问权限?
注意:如果我禁用“prevent_duplicate_names = true”并应用 terraform,则会引发以下错误
GroupsClient.BaseClient.Post(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to
│ complete the operation.
最佳答案
我尝试通过 Postman 在我的环境中重现相同的结果,并得到以下结果:
默认情况下,新创建的应用程序将已添加 User.Read API 权限。
我注册了一个名为 GroupSP 的新 Azure AD 应用程序,并拥有如下 API 权限:
在没有添加任何额外的 API 权限的情况下,我通过 Postman 使用客户端凭据流生成了一个访问 token ,如下所示:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:<appID>
grant_type:client_credentials
client_secret:<secret>
scope: https://graph.microsoft.com/.default
回应:
当我使用上述 token 创建具有所有者的 Azure AD 组时,我收到了相同的错误,如下所示:
POST https://graph.microsoft.com/v1.0/groups
Content-Type: application/json
{
"description": "Group with designated owner",
"displayName": "Group1",
"groupTypes": [ ],
"mailEnabled": false,
"mailNickname": "srigroup",
"securityEnabled": true,
"<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="1e7169707b6c6d5e717a7f6a7f307c77707a" rel="noreferrer noopener nofollow">[email protected]</a>": [
"https://graph.microsoft.com/v1.0/users/<userID>"
]
}
回应:
为了解决该错误,我向服务主体添加了 Directory.ReadWrite.All API 权限,如下所示:
授予上述权限管理员同意后,我再次生成访问 token 并运行相同查询并成功获得响应,如下所示:
POST https://graph.microsoft.com/v1.0/groups
Content-Type: application/json
{
"description": "Group with designated owner",
"displayName": "Group1",
"groupTypes": [ ],
"mailEnabled": false,
"mailNickname": "srigroup",
"securityEnabled": true,
"<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="127d657c776061527d767366733c707b7c76" rel="noreferrer noopener nofollow">[email protected]</a>": [
"https://graph.microsoft.com/v1.0/users/<userID>"
]
}
回应:
为了确认这一点,我检查了创建 Azure AD 组的门户,并成功添加了所有者,如下所示:
您还可以检查所创建组的审核日志,如下所示:
就您的情况而言,请确保向您的服务主体添加 Directory.ReadWrite.All API 权限,以解决 403 Forbidden 错误。
如果将Directory.ReadWrite.All权限添加到服务主体,则不需要Group.ReadWrite.All权限。 p>
关于Azure : GroupsClient. BaseClient.Get():意外状态 403,带有 OData 错误:Authorization_RequestDenied:权限不足,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/74986447/